Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
11762
Views
0
Helpful
0
Comments

Action Required: Duo Security Guide to Adopt Single Sign-On (SSO)

Ameeka
Cisco Employee
Cisco Employee

‎08-29-2025 05:36 AM - edited ‎09-02-2025 01:15 PM

[Duo Single Sign-On is available in Duo Premier, Duo Advantage, and Duo Essentials commercial plans, and is not available in Duo Federal plans. To verify which plan your organization currently utilizes, follow these steps.]

 

Cisco Duo Single Sign-On (SSO) is a powerful security solution designed to simplify user access and protect applications by providing a unified authentication experience. Complete the following steps to successfully adopt Duo SSO to streamline access, enhance security, and mitigate identity-based threats.

 

Critical Check: Have you completed the foundational steps for configuring Duo SSO?

Action: Ensure your initial setup is complete to begin your Duo SSO journey.

  • Confirm that the Owner-level administrator in your organization's Duo Admin Panel has successfully logged into the Duo Admin Panel and identified at least one web application that will be protected using Duo SSO. This is a crucial first step for integration.
    • Recommended: Add a second Owner-level Administrator to your Duo Admin Panel to prevent lockout and ensure continuous management capabilities. For steps to add a second Owner-level Administrator (or promote an existing Administrator), click here.

 

Critical Check: Is your Duo SSO implementation robust with configured authentication sources?

Action: Proceed with key implementation steps to prepare for broader deployment.

  • Once in the Admin Panel, the Owner-level Admin should navigate to Applications → SSO Settings. From here they can begin configuring Duo SSO controls such as session duration, user look-up method, and subdomain URL. This step must be completed first, in order to proceed further. (Role required: Owner, only)
  • Configure an authentication source, such as Active Directory or a SAML Identity Provider (IdP), to integrate your existing user directories with Duo SSO. (Role required: Owner or Administrator)
    • Recommended: You can now use Duo as a true identity provider, via Duo Directory. Duo now offers a cloud-based user directory for single sign-on applications and advanced security like phishing-resistant MFA, Passwordless authentication, and device trust and security posture evaluation.
    • Recommended: If you have multiple authentication sources configured for Duo SSO, Duo's Single Sign-On Routing Rules direct end-users to the correct authentication source for a more seamless, flexible sign-in experience for end-users!
  • Protect at least one application with Duo SSO to verify the end-to-end integration (Role required: Owner, Administrator, or Application Manager) For more details on completing this step, click here.
    • Recommended: Pick a named integration from your application inventory. Use Generic SAML or OIDC integrations for applications that do not exist in Duo's Application Catalog.

 

Critical Check: Are end-users actively utilizing Duo SSO? Is Duo Central configured to enhance their experience?

Action: Monitor end-user adoption and configure central access for improved usability.

  • Verify that at least two end-users have successfully authenticated using SSO within the last 7 days, indicating active usage.
  • Configure Duo Central to provide a centralized (and brand-customizable!) portal for user access to all protected applications. (Role required: Owner, Administrator, or Application Manager)

 

Critical Check: Is your organization achieving widespread adoption and a strong security posture with Duo SSO?

Action: Drive end-user engagement and utilize stronger authentication methods.

  • Aim for more than 50% of your total end-users to have fully enrolled in Duo, based on your organization's Duo license count, to maximize coverage.
  • Ensure at least one application has been protected by Duo SSO, but we recommend putting all business-critical applications behind Duo SSO for greater consistency in end-user experience.
  • Strive for more than 50% of your enrolled users to have authenticated using SSO in the last 7 days, demonstrating active and consistent usage.
  • Encourage the use of strong authentication methods (e.g. platform authenticators, roaming authenticators, Verified Duo Push, WebAuthn and Passwordlessfor more than 10% of authentications to enhance overall security against advanced threats.

 

If you've successfully completed all of the steps and checks listed above, congratulations! Your organization has taken one more step toward achieving a Universal Zero Trust Network Access (UZTNA) environment!

For a similar guide on Duo Multifactor Authentication (MFA) best practice, click here.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents